On 2011-08-11, Curt Arnold wrote:

> On Aug 10, 2011, at 10:38 AM, Stefan Bodewig wrote:
>> I'd propose to not keep the signing key of future releases secret but
>> simply keep the full keypair inside the source tree.

>> Stefan

> I'm fine with that as long as it is a different key than that which
> signed the earlier releases which had some at least implied promise of
> signing key secrecy that we should not undo.

+1

That's why I proposed it for future releases.

> Likely that would mean that we would need to build assemblies with the
> previous key for those who want a drop-in replacement for earlier
> log4net and figure out if we want to distribute compiled assemblies
> with the open key or just distribute the source.

Right now I'd lean towards making breaking changes for a 1.3.x line of
releases and using the new key there. I'm not sure whether signing those
with the old key would be useful at all.

As for distributions, I think the community needs to rethink what type
of assemblies should be distributed anyway - I'm not convinced separate
Mono assemblies are needed anymore, for example.  There may be value in
assemblies that are not strong named at all in addition to those signed
with an open key.

Stefan
